
Quasigroup transformations and their cryptographic potentials



Presentation Transcript


  1. Quasigroup transformations and their cryptographic potentials. Ass. Prof. Danilo Gligoroski, Institute of Informatics, Faculty of Natural Sciences, Skopje, Republic of Macedonia

  2. Overview
  • Examples and definitions of Latin squares and quasigroups
  • Latin squares in mathematics
  • Latin squares in cryptology
  • Examples and definitions of quasigroup string transformations
  • Edon block cipher
  • Edon stream cipher
  • Edon-C hash function
  • Edon-PRNG
  • Quasigroup cryptanalysis, definition and examples
  • Conclusions and future work

  3. Examples: three Latin squares and the multiplication table of a quasigroup (Q,*) (shown as figures)

  4. Examples (cont.) A quasigroup (Q,*). Every quasigroup has 5 conjugates (parastrophes), each obtained from x*y=z by permuting the roles of x, y and z: the operations under which (z,x) ↦ y, (z,y) ↦ x, (x,z) ↦ y, (y,x) ↦ z, and (y,z) ↦ x.

  5. Definitions

  6. Definitions (cont.)
  • Wolf, M. 1989. “Nondeterministic Circuits, Space Complexity and Quasigroups”, Computer Sciences Technical Report #870, Computer Sciences Department, University of Wisconsin-Madison.
  • "Definition: A Latin square is an n x n grid with each of the integers 1,2,...,n appearing exactly once in each row and column."
  • "If each of the integers 1,2,...,n appears as a label for exactly one row and exactly one column then the Latin square can be viewed as a multiplication table of a quasigroup. We formalize the definitions of groups and quasigroups by considering the following four properties of a set Q with an associated binary operation *. For all a,b,c in Q:
    (1) There is a unique x such that a*b=x.
    (2) There is a unique x such that a*x=b.
    (3) There is a unique x such that x*a=b.
    (4) (a*b)*c=a*(b*c)
  • Definition: Q is a quasigroup if * satisfies properties 1, 2 and 3.
  • Definition: Q is a group if * satisfies properties 1, 2, 3 and 4."

  7. A short mathematical history about Latin Squares
  • First written reference in 1723
  • 36 officers problem – Euler 1779, who introduced the phrase “Latin square”
  • Steiner (1853) proposed the problem of arranging N things in triplets such that every pair occurs in one and only one triplet. Such an arrangement may be called a simple triplet system or a Steiner triplet system.
  • 1870s - 1890: A. Cayley (multiplication table of a group – the Cayley table is a Latin square)
  • 1873-1890: E. Schröder (about quasigroups with an identity element – loops)
  • 1930s: Moufang (close connection between projective planes and non-associative quasigroups)
  • F. Yates (1936): Balanced Incomplete Block Design
  • 1960s – 2000s: Enumeration of Latin squares of order n, critical sets in Latin squares and the Quasigroup Completion Problem.

  8. A short mathematical history about Latin Squares (cont.)
  • 1995 -- McKay, B. and E. Rogoyski. 1995. Latin Squares of Order 10. Electronic Journal of Combinatorics. 2(3): 1-4. (Table 1: Numbers of normalized Latin rectangles.) For n=256, T >> 10^58000 ??!!??
  • To obtain the total number of Latin rectangles, not necessarily normalized, multiply L(n,n) by n!(n-1)!, i.e. T = L(n,n) n! (n-1)!
  • Table 2. Estimates of L(n,n) for larger n.

  9. A short cryptology history about Latin Squares
  • 1949 – Shannon, C. Communication Theory of Secrecy Systems. Bell System Technical Journal. 28: 656-715. "Perfect systems in which the number of cryptograms, the number of messages, and the number of keys are all equal are characterized by the properties that (1) each M is connected to each E by exactly one line, (2) all keys are equally likely. Thus the matrix representation of the system is a ‘Latin square’." (p. 681)

  10. A short cryptology history about Latin Squares (cont.)
  • S-boxes in Substitution/Permutation Network block ciphers – every S-box can be seen as a row or column of a quasigroup (some examples):
  • Lucifer, 1970s (uses two S-boxes mapping 4 bits to 4 bits) – as two rows of a quasigroup of order 16.
  • DES, 1980s (uses 8 S-boxes mapping 6 bits to 4 bits) – 8 rows of 8 Latin squares of order 64x64.
  • AES, 1999 (one S-box mapping 8 bits to 8 bits) – one row of a quasigroup of order 256.

  11. A short cryptology history about Latin Squares (cont.)
  • “Non-Expanding, Key Minimal, Robustly-Perfect, Linear and Bilinear Ciphers”, by Massey, Maurer and Wang (Advances in Cryptology -- EUROCRYPT '87, 237-247, Springer-Verlag). Section 2 introduces the notion of a robustly-perfect block cipher and shows the connection of such ciphers to Latin squares.
  • "Discrete Mathematics Using Latin Squares" by Laywine and Mullen, Chapter 14, covers:
    14.2 encryption based upon the theory of sets of MOLS
    14.3 secret sharing schemes based on critical sets
    14.4 Diffie-Hellman key exchange and RSA in the group of row-Latin squares
  • "DESV: A Latin square variation of DES" by Carter, Dawson, and Nielsen (Proceedings of the Workshop on Selected Areas in Cryptography, Ottawa, Canada, 1995)
  • "Black box cryptanalysis of hash networks based on multipermutations" by Schnorr and Vaudenay (Eurocrypt '94, pp. 47-57)

  12. A short cryptology history about Latin Squares (cont.)
  • Denes and Keedwell, 1992, authentication scheme based on Latin squares
  • Bakhtiari, Safavi-Naini, Pieprzyk, 1997, MAC based on Latin squares
  Basic idea … transformations on quasigroup(s)

  13. Quasigroup string transformations
  • 1997 – 2003, Gligoroski, Markovski, Andova, Bakeva, Stojcevska, Kusakatov, Institute of Informatics, Faculty of Natural Sc., Skopje
  Basic idea (letter frequency charts shown as figures): for the input string α = 00102300120010020003, e0(α) = 21023130113013002131 and d0(α) = 22130002111213201223.

  14. Quasigroup string transformations - definitions

  15. Quasigroup string transformations - definitions

  16. More definitions

  17. Some interesting properties of quasigroup string transformations
  Let (Q,*) be a quasigroup, a ∈ Q, and (Q,\) its corresponding first parastrophe (x \ z = y iff x*y = z). Then for every string α ∈ Q+, d_a(e_a(α)) = α.
  Theorem for uniform distribution of letters in transformed strings

  18. Some interesting properties of quasigroup string transformations (cont.)
  Transformation of strings with 4x4 quasigroups. There are 576 4x4 quasigroups.
  • For every α ∈ {0,1,2,3}^l, l = 1..6, there is at least one Q and k such that e0(e0(…(e0(α))…)) = 00…0 (e0 applied k times).
  • For n=7 there are 45 strings (0.27%) that CAN NOT be transformed into 00…0
  • For n=8 there are 2,517 strings (3.84%) that CAN NOT be transformed into 00…0
  • For n=9 there are 34,455 strings (13.14%) that CAN NOT be transformed into 00…0
  • For n=10 there are 255,732 strings (24.39%) that CAN NOT be transformed into 00…0
  • For n=11 there are 2,042,895 strings (48.71%) that CAN NOT be transformed into 00…0
  • For n=12 there are 10,122,285 strings (60.33 %) that CAN NOT be transformed into 00…0
  Transformation of strings with 5x5 quasigroups
  • There are 161280 5x5 quasigroups.
  • I have checked for every α ∈ {0,1,2,3,4}^l, l = 1..12, and ALWAYS there is at least one Q and k such that e0(e0(…(e0(α))…)) = 00…0 (e0 applied k times).
  Open problem: What are the smallest lengths of strings in an n-letter (n>4) alphabet that can not be transformed into 00…0?
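The e_a/d_a transformations of slide 17 and the "transform to 00…0" search of slide 18, as an added Python example (not code from the slides or from the authors). The definitions of e_a (chaining on outputs) and d_a (chaining on inputs) are the ones from the authors' published papers and are an assumption here, since the definition slides 14–16 survived only as images; the sample table Q used in the test is constructed.

```python
# Added example (not from the slides): e_a / d_a quasigroup string transformations,
# the parastrophe, the inverse property of slide 17 and the 00...0 search of slide 18.
from itertools import permutations

def parastrophe(q):
    """First parastrophe (left division) as a table: p[x][z] = y iff x*y = z."""
    return [[q[x].index(z) for z in range(len(q))] for x in range(len(q))]

def e_transform(q, leader, s):
    """e_leader: b1 = leader*a1, b_i = b_(i-1)*a_i (authors' definition, assumed)."""
    out, prev = [], leader
    for a in s:
        prev = q[prev][a]
        out.append(prev)
    return out

def d_transform(q, leader, s):
    """d_leader: b1 = leader*a1, b_i = a_(i-1)*a_i; over the parastrophe it inverts e."""
    out, prev = [], leader
    for a in s:
        out.append(q[prev][a])
        prev = a
    return out

def all_quasigroups(n):
    """All n x n Latin squares, built row by row with pruning (576 for n = 4)."""
    perms, found = list(permutations(range(n))), []
    def extend(rows):
        if len(rows) == n:
            found.append(rows)
            return
        for p in perms:  # a new row must differ from every earlier row in every column
            if all(p[c] != r[c] for r in rows for c in range(n)):
                extend(rows + [p])
    extend([])
    return found

def steps_to_all_zero(q, s):
    """Smallest k such that e_0 applied k times to s gives 00...0, else None.
    e_0 is a bijection on Q^l, so the orbit of s has at most n**l elements."""
    cur = list(s)
    for k in range(1, len(q) ** len(s) + 1):
        cur = e_transform(q, 0, cur)
        if not any(cur):
            return k
    return None

def find_zeroing_quasigroup(s, n=4):
    """Some (Q, k) with e_0^k(s) = 00...0 (slide 18 claims one exists for l <= 6)."""
    hits = ((q, steps_to_all_zero(q, s)) for q in all_quasigroups(n))
    return next(((q, k) for q, k in hits if k is not None), None)
```

Keep the strings short when calling find_zeroing_quasigroup: the orbit bound n**l makes the search exponential in the string length.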

  19. Edon – block cipher
  • Variable length of blocks
  • Variable length of keys
  • For embedded systems (hardware implementation) it can use 2 quasigroups of order 16 and their first conjugates. In total 512 bytes for quasigroup storage, and with the code, less than 1024 bytes.
  • In software implementation it uses 2 quasigroups of order 256 and their first conjugates. In total 256 Kb.

  20. Edon – block cipher (notation)
  • Message block: M = m1 m2 ... ml of length l bytes.
  • Key: K = q1 q2 ... qk of length k bytes.
  • Inner key string: P = p1 p2 ... pk of length k bytes.
  • Cipher block: C = c1 c2 ... cl of length l bytes.

  21. Edon – block cipher (ENCRYPTION)
  I phase: Key scheduling for obtaining the inner key string P = p1 p2 ... pk of length k bytes from the key string K = q1 q2 ... qk.
    P := K;
    For i := 1 to k do begin
      If (q[i] mod 2) = 0 then P := (e transform of P with first quasigroup and leader q[i])
      Else P := (d transform of P with second quasigroup and leader q[i]);
      If i < k then RotateRight(P);
    end;
  II phase: Encryption of a message block Mj = m1 m2 ... ml of length l bytes with the inner key string P = p1 p2 ... pk of length k bytes.
    For i := 1 to k do begin
      If (p[i] mod 2) = 0 then M := (e transform of M with first quasigroup and leader p[i])
      Else M := (d transform of M with second quasigroup and leader p[i]);
      If i < k then RotateRight(M);
    end;

  22. Edon – block cipher (ENCRYPTION)

  23. Edon – block cipher (DECRYPTION)
  I phase: Key scheduling for obtaining the inner key string P = p1 p2 ... pk of length k bytes from the key string K = q1 q2 ... qk.
    P := K;
    For i := 1 to k do begin
      If (q[i] mod 2) = 0 then P := (e transform of P with first quasigroup and leader q[i])
      Else P := (d transform of P with second quasigroup and leader q[i]);
      If i < k then RotateRight(P);
    end;
  II phase: Decryption of a block Cj = c1 c2 ... cl of length l bytes with the inner key string P = p1 p2 ... pk of length k bytes.
    For i := k downto 1 do begin
      If (p[i] mod 2) = 1 then C := (e transform of C with parastrophe of second quasigroup and leader p[i])
      Else C := (d transform of C with parastrophe of first quasigroup and leader p[i]);
      If i > 1 then RotateLeft(C);
    end;

  24. Edon – block cipher (DECRYPTION)
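Both phases of the block cipher, as an added Python example reconstructed from the pseudocode above (not the authors' reference implementation). Assumptions: e chains on outputs (b_i = b_(i-1)*a_i) and d chains on inputs (b_i = a_(i-1)*a_i), RotateRight moves the last byte to the front, and Q1, Q2 are constructed order-4 sample tables standing in for the order-16/256 quasigroups of the real cipher.

```python
# Added example: the Edon block cipher reconstructed from the pseudocode of slides
# 21-23 (not the authors' reference code). A quasigroup is a Latin-square table
# q[x][y] = x*y over Q = {0..n-1}; Q1, Q2 are constructed order-4 sample tables.
Q1 = [[1, 2, 0, 3], [0, 3, 1, 2], [3, 0, 2, 1], [2, 1, 3, 0]]
Q2 = [[0, 1, 2, 3], [1, 0, 3, 2], [2, 3, 0, 1], [3, 2, 1, 0]]

def qtransform(q, leader, s, chain_outputs):
    """e_leader (chain_outputs=True): b_i = b_(i-1)*a_i with b_0 = leader;
    d_leader (chain_outputs=False): b_i = a_(i-1)*a_i with a_0 = leader."""
    out, prev = [], leader
    for a in s:
        b = q[prev][a]
        out.append(b)
        prev = b if chain_outputs else a
    return out

def parastrophe(q):
    """First parastrophe (left division) as a table: p[x][z] = y iff x*y = z."""
    return [[q[x].index(z) for z in range(len(q))] for x in range(len(q))]

def rounds(q1, q2, leaders, s):
    """Shared loop of phase I (key scheduling) and phase II (encryption): an even
    leader selects e over Q1, an odd one d over Q2; RotateRight between rounds."""
    s = list(s)
    for i, lead in enumerate(leaders):
        even = lead % 2 == 0
        s = qtransform(q1 if even else q2, lead, s, chain_outputs=even)
        if i < len(leaders) - 1:
            s = s[-1:] + s[:-1]  # RotateRight: last byte to the front (assumed)
    return s

def key_schedule(q1, q2, key):
    """Phase I: P starts as a copy of K; the leaders are the original key bytes q[i]."""
    return rounds(q1, q2, key, key)

def encrypt_block(q1, q2, p, block):
    """Phase II: k rounds keyed by the inner key string P."""
    return rounds(q1, q2, p, block)

def decrypt_block(q1, q2, p, block):
    """Rounds undone in reverse order: an odd p[i] (d over Q2) is inverted by e over
    Q2's parastrophe, an even p[i] (e over Q1) by d over Q1's parastrophe."""
    q1p, q2p = parastrophe(q1), parastrophe(q2)
    c = list(block)
    for i in range(len(p) - 1, -1, -1):
        odd = p[i] % 2 == 1
        c = qtransform(q2p if odd else q1p, p[i], c, chain_outputs=odd)
        if i > 0:
            c = c[1:] + c[:1]  # RotateLeft undoes the RotateRight of the previous round
    return c
```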

  25. Edon – block cipher (Cryptanalysis)
  • Variable length of a key means that it has a variable number of rounds
  • The different usage of the e or d transformation plays the role of “confusion” and “diffusion”
  • Differential cryptanalysis after 4 rounds shows a uniform distribution for almost every pair of two quasigroups.

  26. Edon – block cipher (Cryptanalysis) (cont.)

  27. Edon – block cipher (Cryptanalysis) (cont.)

  28. Edon – block cipher (Cryptanalysis) (cont.)

  29. Edon – block cipher (Cryptanalysis) (cont.)

  30. Edon – stream cipher (ENCRYPTION)
  No key scheduling. Inner key string P = p1 p2 ... pk = K = q1 q2 ... qk.
    For i := 1 to k do
      If (p[i] mod 2) = 0 then begin
        M := (e transform of M with first quasigroup and leader p[i]);
        p[i] := m[l];
      end else begin
        temp := m[l];
        M := (d transform of M with second quasigroup and leader p[i]);
        p[i] := temp;
      end;

  31. Edon – stream cipher (DECRYPTION)
    For i := k downto 1 do
      If (p[i] mod 2) = 1 then begin
        C := (e transform of C with the parastrophe of second quasigroup and leader p[i]);
        p[i] := c[l];
      end else begin
        temp := c[l];
        C := (d transform of C with the parastrophe of first quasigroup and leader p[i]);
        p[i] := temp;
      end;

  32. Edon – stream cipher (ENCRYPTION) (cont.)

  33. Edon – C, cryptographic hash function
  • Hash output length N can be variable
  • Security properties do not depend on the initialization vector – easy transformation into a MAC
  • Restriction: the quasigroup should contain no element x such that x*x = x

  34. Edon – C, cryptographic hash function (cont.)
  • Message block: M = m1 m2 ... ml of length l bytes.
  • Output hash length N.
  • Initialisation vector H0 = h1 h2 ... hN
  • Quasigroup cyclic vector transformation defined as: if α = a0 a1 ... aN-1 and β = b0 b1 ... bN-1 then

  35. Edon – C, cryptographic hash function (cont.)
  Algorithm
  1. Pad the message M = m1 m2 ... ml and obtain a new message M’ such that the length L of the new message is a multiple of N, by this transformation:
  2. Initialize the hash vector H0 = h1 h2 ... hN
  3. For i = 1 to L/N do Hi = C(Mi Hi-1)
  4. Output the last Hi

  36. Edon – PRNG
  • Uses K internal states of the random function, represented as a vector M = m1 m2 ... mK. For cryptographic purposes K should be at least 16. The seed is the initial value of the vector M. One quasigroup of order 256.
  1. Initialize the PRNG: vector M takes its initial K values, i.e. M = m1 m2 ... mK
  2. Get the next 32-bit random number: For i := 1 to 8 do M := e0(M); next_32_bit_random = mK || mK-2 || mK-4 || mK-6, where || is concatenation.
  We made more than 1000 experiments to check the quality of the produced random files (with Diehard and FIPS 140-2) and never found a failing test. Our claims that this PRNG is secure are based on the fact that the produced 32-bit random number is a concatenation of non-neighbouring bytes after 8 rounds of quasigroup string transformation of the seed vector.
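The PRNG state update above, as an added Python example (not the authors' code). Assumptions: e_0 chains on outputs (b_i = b_(i-1)*a_i) as in the authors' papers, and Q256 is a constructed placeholder Latin square chosen only so the example runs, not the quasigroup the authors used.

```python
# Added example (not the authors' code): the Edon-PRNG state update of slide 36.
# Q256 is a constructed placeholder Latin square (x*y = (x + 3y + 1) mod 256), not
# the quasigroup the authors used; e_0 chains on outputs (assumed definition).
Q256 = [[(x + 3 * y + 1) % 256 for y in range(256)] for x in range(256)]

def e_transform(q, leader, s):
    """e_leader: b1 = leader*a1, b_i = b_(i-1)*a_i."""
    out, prev = [], leader
    for a in s:
        prev = q[prev][a]
        out.append(prev)
    return out

class EdonPRNG:
    def __init__(self, seed, q=Q256):
        """seed: the K initial states; the slide asks for K >= 16 for cryptographic use."""
        if len(seed) < 16 or any(not 0 <= b < 256 for b in seed):
            raise ValueError("seed must hold at least 16 values in 0..255")
        self.m, self.q = list(seed), q

    def next32(self):
        """Apply e_0 to the state vector 8 times, then output m_K || m_(K-2) || m_(K-4) || m_(K-6)."""
        for _ in range(8):
            self.m = e_transform(self.q, 0, self.m)
        k = len(self.m)
        out = [self.m[k - 1], self.m[k - 3], self.m[k - 5], self.m[k - 7]]
        return int.from_bytes(bytes(out), "big")
```

With the linear placeholder table the output is not random in any useful sense; the block only shows the state machine and the output selection rule.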

  37. Quasigroup cryptanalysis (work in progress)
  This “encrypting” scheme is easily breakable with a “known plaintext” attack (if the quasigroup is known). For one quasigroup (Q,*) define the following string transformation (QCA2): transform a message block Mj = m1 m2 ... mk of length k bytes with the key string P = p1 p2 ... pk by the following procedure:
    For i := 1 to k do begin
      M := (e transform of M with leader p[i]);
      If i < k then RotateRight(M);
    end;

  38. Quasigroup cryptanalysis (work in progress) (cont.) Algorithm QCA2
  • 1. Convert a stream of pairs {Mi, Ci}, i = 1, 2, …, obtained from some cryptographic source (algorithm X), into a number base n.
  • 2. Choose an arbitrary key string P = p1 p2 ... pk where the elements pj are in base n.
  • 3. Search for a quasigroup (Q,*) such that QCA2(Mi) = Ci for as many values of i as possible, until the number of elements in the corresponding partial Latin square is ~30% of n^2.
  • 4. Try to solve the Quasigroup Completion Problem with the obtained partial Latin square and obtain a quasigroup (Q,*).
  • If the probability P{Q(P,M) = C} for C = X(M) exceeds a given threshold, then we say that QCA2 has broken the algorithm X with that success rate.

  39. Quasigroup cryptanalysis (work in progress) Some experiment results
  • Experiment 1: RSA system where n has a small value (12 bits). A Latin square of order 64x64 that with QCA2 can successfully simulate ~27% of the work of RSA.
  • Experiment 2: RSA system where n has a small value (20 bits). A Latin square of order 64x64 that with QCA2 can successfully simulate ~10% of the work of RSA.
  • Experiment 3: AES encryption in ECB mode of 1,000,000 blocks of 128 bits “PT” – every block is different. The produced file “CT” passes every known statistical test of randomness. Then I applied QCA2 on “PT” and “CT” and it proposed around 100 quasigroups of order 256. Around 10% of them can bijectively transform “CT” such that the transformation fails drastically on statistical tests.

  40. Latin square of order 40x40. With QCA2 it can successfully simulate 2.5% of an RSA system where n has a small value of 12 bits.

  41. Quasigroup cryptanalysis (work in progress)
  • Question: How big should the order n of the quasigroup be such that it can break an RSA 1024 with a success rate of 1%?
  • Answer (speculative): If n = 2^16, then every message with less than 1024 bits can be represented with 64 letters. For storing one quasigroup of order n = 2^16 we need 8 GB of memory. The number of elements in such a quasigroup is 2^32, and to fill 30% of them we will need around ~2^31 pairs {Mi, Ci}.
  • Answer (speculative): If n = 2^24, then every message with less than 1024 bits can be represented with 43 letters. For storing one quasigroup of order n = 2^24 we need 768 TB of memory, and to fill 30% of it we will need around ~2^47 pairs {Mi, Ci}.

  42. Future work with quasigroup transformations in cryptology
  In cryptography
  • Make more cryptanalysis of the Edon algorithms
  • Develop protocols for embedding one smaller quasigroup into another bigger one, and build hierarchies of trusted levels of communication.
  In cryptanalysis
  • Make more experiments with QCA2 on well-known crypto algorithms: DES, 3-DES, AES, RSA, DH, ...
  • Convert QCA2 into an algorithm QCA1 that makes cryptanalysis only with cipher text.
  In theory of computing
  • Efficient algorithms for quasigroup transformation of strings with a desired frequency distribution.
  I am interested in research cooperation. Thanks.
